flex-users mailing list archives

From Eugene Ramirez <ramirez.eug...@gmail.com>
Subject Re: access PDF doc from inside Flex app but not outside?
Date Sun, 06 Apr 2014 00:26:22 GMT
I have files stored on the server, which can either be inside a database or
some other file the servlet has access to but not under the public_html
directory, and while I'm using JBOSS, the servlet is the one that returns the
file the user has requested.

The piece of code the servlet executes is:

// find out the filename using some logic and checking if the user has
// access rights
// once I have it I execute the following code:

File file = new File(filename);
if (file.exists()) {
    resp.setContentType("application/x-download");
    resp.setHeader("Content-Disposition", "attachment; filename=" +
            clientFilenameToBeSavedAs);
    returnFile(filename, resp.getOutputStream());
} else {
    //System.out.println("file DOES NOT exist:" + filename);
    // error handling goes here
}




returnFile method

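import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// Copies the file at 'filename' to 'out' in 4K chunks; the input stream is
// always closed, the output stream is left to the caller.
public static void returnFile(String filename, OutputStream out)
        throws FileNotFoundException, IOException {
    InputStream in = null;
    try {
        in = new BufferedInputStream(new FileInputStream(filename));
        byte[] buf = new byte[4 * 1024]; // 4K buffer
        int bytesRead;
        while ((bytesRead = in.read(buf)) != -1) {
            out.write(buf, 0, bytesRead);
        }
    } finally {
        if (in != null) in.close();
    }
}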



My FLEX code that will call the servlet method:


private function startDownloadingFile(attachment:Attachment):void {
    if (_downloadFileRef == null) _downloadFileRef = new FileReference();
    var req:URLRequest = new URLRequest(SERVER_URL);
    var variables:URLVariables = new URLVariables();
    variables.command = DOWNLOAD_ATTACHMENT;
    variables.attachmentId = attachment.id;
    variables.sessionId = Params.getInstance().get("sessionId");
    req.data = variables;
    _downloadFileRef.addEventListener(ProgressEvent.PROGRESS,
            downloadFileRef_progress);
    _downloadFileRef.addEventListener(Event.COMPLETE, downloadFileRef_complete);
    _downloadFileRef.addEventListener(Event.CANCEL, downloadFileRef_cancel);
    try {
        mx.managers.CursorManager.setBusyCursor();
        _downloadFileRef.download(req, attachment.filename);
    } catch (error:Error) {
        mx.managers.CursorManager.removeBusyCursor();
        Alert.show("unable to download file", "Error downloading file");
    }
}


Note: My user has already been authenticated by the server and has a
sessionId that is unique to the user.  On the server I have this sessionId
stored with a reference to the user.  Anytime someone wants to download a
file I check the sessionId and see if it's:
 1) Valid
 2) The filename the user is trying to download has access to download the
file

The servlet goes and gets the file that is not in a public directory and
sends it over.

Others might have a different method of doing this but this works for me.

Hopefully this helps.
Ruben



On Fri, Apr 4, 2014 at 3:28 PM, Maurice Amsellem <
maurice.amsellem@systar.com> wrote:

> >how does the servlet open the PDF in a new (client) browser window
> It's not the servlet, it's the flex app that is responsible for opening the
> new window.
> The servlet will simply read the bytes of the PDF file and write them to
> the output stream, as if it was a static file (that's what the http server
> does actually)
>
> > And when it does open the PDF in a new browser window, wouldn't the full
> > URL including token be shown in the browser (if so, someone could copy this
> > URL and e-mail to someone else to open it)?
> The "security token" would be valid for the current user session only. You
> could for example use the jsessionid as a key (or something similar).
> So if someone else that is not logged in tries the same url, it will not work.
>
> Maurice
>
> -----Original Message-----
> From: modjklist@comcast.net [mailto:modjklist@comcast.net]
> Sent: Saturday, April 5, 2014 00:23
> To: users@flex.apache.org
> Subject: Re: access PDF doc from inside Flex app but not outside?
>
> I call a few Java servlets in my app using HTTPService(), although my app
> is not contained in a JEE Web App as far as I know.
>
> Let me see if I follow... the servlet is called from within Flex using a
> specific URL. I can append some text representing a "security token" on
> that URL, which the servlet validates then ... hmm, how does the servlet
> open the PDF in a new (client) browser window (maybe you can refer me to a
> specific command I can research to figure that out)?
>
> And when it does open the PDF in a new browser window, wouldn't the full
> URL including token be shown in the browser (if so, someone could copy this
> URL and e-mail to someone else to open it)?
>
>
> ----- Original Message -----
>
> From: "Maurice Amsellem" <maurice.amsellem@systar.com>
> To: users@flex.apache.org
> Sent: Friday, April 4, 2014 3:05:50 PM
> Subject: RE: access PDF doc from inside Flex app but not outside?
>
> Then the PDF files would be stored in the private area of the web-app
> (under WEB-INF), so they can't be accessed directly.
>
> There are probably variants of this, but I think you get the idea.
>
> -----Original Message-----
> From: Maurice Amsellem [mailto:maurice.amsellem@systar.com]
> Sent: Saturday, April 5, 2014 00:04
> To: users@flex.apache.org
> Subject: RE: access PDF doc from inside Flex app but not outside?
>
> If your app is contained in a JEE Web App, you could probably write a
> servlet to download the PDF securely, using a "security token" or something.
> The Flex App would simply request the servlet through its url to get the
> PDF, and pass it the security token.
>
> Makes sense?
>
> Maurice
>
> -----Original Message-----
> From: modjklist@comcast.net [mailto:modjklist@comcast.net]
> Sent: Friday, April 4, 2014 23:45
> To: apache flex users
> Subject: access PDF doc from inside Flex app but not outside?
>
> I have a desktop Flex app that users register and login. I need to provide
> these users access to technical documents in PDF format. However, I don't
> want to put these docs in my server's public_html directory because then
> any visitor can potentially view them. Is there any way for the Flex app to
> open these PDF files in a new browser window, while preventing their access
> by website visitors? That is, the files can only be opened when logged into
> the app, and not by copying and pasting a link in an email that goes to
> someone else for them to open in any browser.
>
> I understand the user can simply download the PDF file and e-mail it if
> he/she really wants to (I'm just trying to make it a little more difficult).
>
> I was thinking maybe there was a way to place the PDF files somewhere in
> the Java application server since only Flex has access there (a firewall
> blocks website visitors). Thought maybe someone ran into this before and
> could help me see what's possible.
>
>
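
The two checks listed in the note at the top of this message (valid session, user allowed to download the file) can be kept in one place that the servlet calls before `returnFile`, together with a containment check on the stored path and a quoted `Content-Disposition` filename. This is an added example, not code from the original message; the class, map and path names are hypothetical, and in-memory maps stand in for the server's session store and attachment table.

```java
import java.nio.file.*;
import java.util.*;

// Added example; every name here is hypothetical. In-memory maps stand in for
// the server-side session store and attachment table.
public class AttachmentGate {
    // Assumed private storage directory, outside public_html.
    static final Path ROOT = Paths.get("/srv/private/attachments");
    static final Map<String, String> SESSIONS = new HashMap<>();         // sessionId -> userId
    static final Map<String, Attachment> ATTACHMENTS = new HashMap<>();  // attachmentId -> row

    static final class Attachment {
        final String storedPath; final Set<String> readers;
        Attachment(String storedPath, String... readers) {
            this.storedPath = storedPath; this.readers = new HashSet<>(Arrays.asList(readers));
        }
    }

    /** Returns the file the servlet may stream, or empty if it must refuse. */
    static Optional<Path> resolve(String sessionId, String attachmentId) {
        String user = SESSIONS.get(sessionId);            // 1) is the session valid?
        Attachment a = ATTACHMENTS.get(attachmentId);
        if (user == null || a == null || !a.readers.contains(user)) {
            return Optional.empty();                      // 2) this user may not read it
        }
        // The path comes from the server's own table, never from the request.
        // normalize() is lexical only; it does not follow symlinks.
        Path p = ROOT.resolve(a.storedPath).normalize();
        return p.startsWith(ROOT) ? Optional.of(p) : Optional.empty();
    }

    /** Quotes the client-side filename; quotes, CR/LF and other odd characters become '_'. */
    static String contentDisposition(String name) {
        return "attachment; filename=\"" + name.replaceAll("[^A-Za-z0-9._ -]", "_") + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample data.
        SESSIONS.put("sess-alice", "alice");
        SESSIONS.put("sess-bob", "bob");
        ATTACHMENTS.put("42", new Attachment("2014/manual.pdf", "alice"));
        ATTACHMENTS.put("43", new Attachment("../../etc/passwd", "alice")); // bad row in the table
        System.out.println(resolve("sess-alice", "42")); // allowed user's session
        System.out.println(resolve("sess-bob", "42"));   // another user's session, same request
        System.out.println(resolve("expired", "42"));    // unknown session id
        System.out.println(resolve("sess-alice", "43")); // stored path escapes ROOT
        System.out.println(contentDisposition("spec \"v2\"\r\nX-Injected: 1.pdf"));
    }
}
```

In the servlet, an empty result maps to the error-handling branch and a present one is passed to `returnFile`.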
